Imperva Cyber Community

Filter Events that are forwarded to Data Risk Analytics

  • 1.  Filter Events that are forwarded to Data Risk Analytics

    Posted 06-30-2020 17:15
    Hello,

    I have been trying to apply an advanced filter criteria to the CounterBreach DAM AA1 audit policy so that only audit data that matches events for a specific database is sent to Data Risk Analytics. So far the filtering has failed.

    Is there a reason why this filtering does not work when matching on queries?
    #DatabaseActivityMonitoring

    ------------------------------
    samson adewale
    GA
    ------------------------------


  • 2.  RE: Filter Events that are forwarded to Data Risk Analytics

    Imperva Employee
    Posted 07-02-2020 04:10
    Hi Samson,

    Is there a specific reason you are trying to filter out DBs?
    Are you trying to filter out audit for only specific DBs within a Server Group/Service, or entire blocks of DBs making up an entire Server Group Service?

    In general terms, DRA expects to get all audit data so that it can build up a very accurate picture of a normal traffic profile. If elements of the DB traffic/audit are filtered out at source, this affects the accuracy of the learning algorithms and this is undesirable, as it could create false positives, which are bad as they can dilute effort, or false negatives, which are bad as they can miss bad activity.

    ------------------------------
    Stefan Pynappels
    Escalation Engineer
    Imperva
    ------------------------------



  • 3.  RE: Filter Events that are forwarded to Data Risk Analytics

    Posted 07-02-2020 16:29
    Well, the issue is that we have Exadatas which hold many, many databases, most of which are out of scope for our database monitoring efforts. We simply want DRA to receive only audit data for the databases that are in scope and profile those activities.

    All of the Exadata nodes in the cluster are set up in the server group, and the in-scope applications are set up under 1 database service to allow for accurate application profiling.

    We are not trying to filter out useful elements from our Exadatas, we just want to have control over the database traffic that we monitor with the DRA. At this time, we are receiving too much data for databases that we do not care to monitor at this time.

    Is this possible?




    ------------------------------
    samson adewale
    GA
    ------------------------------



  • 4.  RE: Filter Events that are forwarded to Data Risk Analytics

    Imperva Employee
    Posted 07-20-2020 14:10
    Samson,
    When you say the filtering doesn't work, do you mean it won't save?  Or you are applying the filter and this data is still being transmitted?

    If you are using the out of the box DRA (CounterBreach) policy, you won't be able to make changes.  You will have to clone the policy and then modify the cloned policy.  After you clone the policy, you will have to update the DRA with the new policy name.  Those instructions are located here:  https://docs.imperva.com/bundle/v3.1-data-risk-analytics-user-guide/page/60546.htm

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 5.  RE: Filter Events that are forwarded to Data Risk Analytics

    Posted 07-20-2020 14:37
    Paul,

    I am applying the filter and the data is still being transmitted to the DRA resulting in incidents being generated for out of scope databases. 

    So far this seems to be a bug in the 13.6 version, but we are waiting for confirmation from Imperva support.

    Samson Adewale
    Security Engineer
    Atlanta, Ga

    ------------------------------
    samson adewale
    GA
    ------------------------------



  • 6.  RE: Filter Events that are forwarded to Data Risk Analytics

    Imperva Employee
    Posted 07-21-2020 11:36
    Samson,
    Have you tried to exclude the databases from the Agent Monitoring Rules screens, under Global Objects?  You can specifically exclude databases and disable CounterBreach (DRA) sampling here also.

    How to disable CounterBreach sampling in AMR


    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 7.  RE: Filter Events that are forwarded to Data Risk Analytics

    Posted 07-21-2020 12:14
    Paul,

    There is already an Agent monitoring Policy in place to exclude databases that are not in scope but we are still seeing traffic for those excluded databases in audit data and subsequently DRA. 

    Wondering if there is a known bug in version 13.6.

    Samson Adewale
    Security Engineer


    ------------------------------
    samson adewale
    GA
    ------------------------------



  • 8.  RE: Filter Events that are forwarded to Data Risk Analytics

    Imperva Employee
    Posted 07-21-2020 17:34
    Samson,
    I am not aware of any bug on this, Support would have to research this for you.  It does appear to be configured correctly in both the AMR and the Audit Policy.  Both locations should independently be filtering out the excluded databases.  If it is not, Support will have to help you dig further.

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 9.  RE: Filter Events that are forwarded to Data Risk Analytics

    Posted 07-21-2020 18:45
    Thanks Paul,

    Support is already engaged and are looking into the issue. 

    Will update this thread with any new information as necessary.

    Samson Adewale
    Security Engineer

    ------------------------------
    samson adewale
    GA
    ------------------------------



  • 10.  RE: Filter Events that are forwarded to Data Risk Analytics

    Impervian
    Posted 07-22-2020 10:13
    Hello,

    To my knowledge, only matches that begin with "Agent Criteria.." are not forwarded to the GW, and it's up to the agent to decide if the traffic should be monitored or not.
    Other matches always communicate with the GW and get the decision on whether events should be monitored, so regardless of whether you excluded an event, the initial session would be captured, but not the rest of the session.

    Just a hint, I am sure support would be more precise & helpful lol.


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 11.  RE: Filter Events that are forwarded to Data Risk Analytics

    Posted 07-22-2020 12:50
    Hi thanks for replying,

    That is correct. I am aware of the agent criteria as well. While my current config will not filter the traffic at the agent level, my understanding is that it should at least filter it at the gateway level and still prevent that traffic from being profiled and audited in the MX.

    We are seeing more than the initial session being monitored. 

    Thank you

    ------------------------------
    samson adewale
    GA
    ------------------------------



  • 12.  RE: Filter Events that are forwarded to Data Risk Analytics

    Impervian
    Posted 07-22-2020 12:03
    Hi Samson,

    Could you try changing the criteria to "At least one" for the Database and Schema setting if you want to exclude the DBs on the right side?

    ------------------------------
    cezmi çal
    technical expert
    Barikat Cyber Security
    ------------------------------



  • 13.  RE: Filter Events that are forwarded to Data Risk Analytics

    Posted 07-22-2020 12:56
    Hi, Thanks for your response. 

    The databases in the Database and Schema setting are the DBs that ARE in scope and that we want to monitor. The agent monitoring policy is looking to BLOCK traffic. So we need to use "exclude all" (a double negative) to match all other databases that are not in scope, so that traffic to them can be filtered using the agent monitoring rule.

    Samson Adewale
    Security Engineer

    ------------------------------
    samson adewale
    GA
    ------------------------------
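
The "exclude all" double negative discussed in the last two replies is easy to get backwards, so here is a small Python model of it as an added illustration. This is not Imperva code and not the product's real rule engine: the rule shape (a BLOCK action plus a database criterion with an "at least one" or "exclude all" operator), the default-monitored behaviour when no rule matches, and the session records are all constructed assumptions made to show why "at least one" inverts the intended result when the list holds the in-scope databases.

```python
"""Toy model of agent-monitoring-rule matching (added example, not Imperva code).

Assumptions (constructed for illustration):
  * A rule has an action ("BLOCK" = do not monitor matching traffic) and a
    database criterion with an operator of "at least one" or "exclude all".
  * "at least one" matches when the session's database is in the list;
    "exclude all" matches when it is NOT in the list (the double negative).
  * Traffic that no rule matches is monitored by default.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class AgentMonitoringRule:
    action: str                 # "BLOCK" or "MONITOR" (assumed vocabulary)
    database_operator: str      # "at least one" or "exclude all"
    databases: FrozenSet[str]   # database names listed on the rule

    def matches(self, database: str) -> bool:
        """Return True when this rule's database criterion matches."""
        if self.database_operator == "at least one":
            return database in self.databases
        if self.database_operator == "exclude all":
            return database not in self.databases
        raise ValueError(f"unknown operator: {self.database_operator!r}")


@dataclass(frozen=True)
class Session:
    user: str
    database: str


def is_monitored(rule: AgentMonitoringRule, session: Session) -> bool:
    """Decide whether a session's traffic is monitored under a single rule."""
    if rule.matches(session.database):
        return rule.action != "BLOCK"
    return True  # assumption: unmatched traffic falls through to monitoring


def monitored_databases(rule: AgentMonitoringRule,
                        sessions: Iterable[Session]) -> Set[str]:
    """Set of database names whose sessions would reach audit/DRA."""
    return {s.database for s in sessions if is_monitored(rule, s)}


# Constructed sample data: two in-scope databases on a shared cluster
# alongside several that are out of scope for monitoring.
IN_SCOPE: FrozenSet[str] = frozenset({"HRPROD", "PAYROLL"})
SAMPLE_SESSIONS: List[Session] = [
    Session("alice", "HRPROD"),
    Session("bob", "PAYROLL"),
    Session("svc_batch", "REPORTING"),
    Session("dev1", "SANDBOX"),
    Session("carol", "HRPROD"),
]

# The configuration the thread describes: BLOCK everything that is NOT in
# the list of in-scope databases (double negative).
EXCLUDE_ALL_RULE = AgentMonitoringRule("BLOCK", "exclude all", IN_SCOPE)

# The suggested alternative: with the same list, BLOCK + "at least one"
# blocks the in-scope databases instead and lets the rest through.
AT_LEAST_ONE_RULE = AgentMonitoringRule("BLOCK", "at least one", IN_SCOPE)


if __name__ == "__main__":
    for name, rule in (("exclude all", EXCLUDE_ALL_RULE),
                       ("at least one", AT_LEAST_ONE_RULE)):
        print(f"{name:13s} -> monitored:",
              sorted(monitored_databases(rule, SAMPLE_SESSIONS)))
```

Running the block shows the two outcomes side by side: the "exclude all" rule leaves only HRPROD and PAYROLL monitored, while "at least one" with the same list monitors exactly the out-of-scope databases. The model says nothing about the agent-versus-gateway evaluation split or the initial-session capture mentioned earlier in the thread; it only makes the operator semantics explicit.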